Active Directory

64 slides

Active Directory for Windows Server

Description: Active Directory Fundamentals, Roles, Functions

Transcript of Active Directory

Page 1: Active Directory

Active Directory for Windows Server

Page 2: Active Directory

Index

Active Directory Introduction
Active Directory Basics
Components of Active Directory
Active Directory Hierarchical Structure
Active Directory Database
Flexible Single Master Operations (FSMO) Role
Active Directory Services

Page 3: Active Directory

Active Directory Introduction

Page 4: Active Directory

Page 5: Active Directory

What is Active Directory?

Active Directory is Microsoft's implementation of the X.500 recommendations. It is a database and directory service that maintains the relationships between resources and enables them to work together. It provides a centralized repository for user account information and for directory authentication, authorization, and the assignment of rights and permissions.

It stores information in a hierarchical, tree-like structure. It depends on two Internet standards: DNS and LDAP. Information in Active Directory can be queried using the LDAP protocol, and Kerberos V5 is used for authentication.

Page 6: Active Directory

Do I Need Active Directory?

If I want to centrally manage access to resources such as printers, users and groups.

If I want to control user accounts from one location.

If I have applications that rely on Active Directory.

Page 7: Active Directory

Active Directory Basics

Page 8: Active Directory

The Basics

X.500 Recommendations
Domain Naming System (DNS)
LDAP
Schema
Replication
Global catalog
Components of Active Directory

Page 9: Active Directory

What are the X.500 Recommendations?

To address the needs of organizations, the Institute of Electrical and Electronics Engineers (IEEE) developed a set of recommendations that defined how a directory service should address the needs of administrators and allow efficient management of network resources. These are known as the X.500 recommendations.

Page 10: Active Directory

Domain Naming System (DNS)

Domain Naming System (DNS) is the hierarchical naming and domain name resolution system used on the Internet and on Windows networks for name resolution.

It converts a domain name into its related IP address.

Active Directory depends on DNS, and both share the same zone-naming conventions. If the DNS server fails, Active Directory fails too.

Page 11: Active Directory

LDAP

LDAP is a directory access protocol used to exchange directory information from server to client or from server to server.

The port number for LDAP is 389. It was initially used as a front-end to X.500, but it can also be used with stand-alone and other kinds of directory servers.

Page 12: Active Directory

Schema

The schema acts as the building blocks of Active Directory. It holds all of the information needed to create users, groups, computers, and so on within Active Directory. The schema defines the classes of objects that are allowed within a directory and the attributes that are associated with those objects. These must be consistent across domains in order for security policies and access rights to function correctly. It defines how each attribute can be used and the properties associated with the attribute.

Page 13: Active Directory

Schema Attributes

To standardize Active Directory, the schema defines the attributes that can be used when creating objects. These attributes are defined only once and can be used for any object.

Defining an attribute once and using it for multiple objects allows a standardized approach to defining objects. An example of an attribute is name. Each attribute within the schema has to have a unique OID (Object Identifier).

Page 14: Active Directory

These OIDs are registered and maintained by the Internet Assigned Numbers Authority (IANA). Once assigned, an OID should not be used by any other attribute.

New attributes will need to be assigned an OID. If you are adding an attribute for use in an object, you should register it with the IANA to safeguard the attribute and to make sure that it does not step on any other attribute. Registration is free and, as long as your OID is unique, you should be issued an OID for your attribute.

Page 15: Active Directory

Schema Classes

An object class is a defined grouping of attributes that makes up a unique resource type.

One of the most common object classes is the user class. The user object class is used as the template for a user account. When you create a user, the attributes that are defined for the user object class are used to define the new account.

Page 16: Active Directory

Replication

Replication is the process of making a replica (a copy) of something.

In Active Directory, replication is the automatic synchronization of data among domain controllers.

Any change to a user account is made on one of the domain controllers and then sent to every other domain controller within the domain; this transfer of data is called replication.

Replication can be a burden on the network. To reduce that burden, Active Directory replicates only the attributes that have changed, not the entire object.

Page 17: Active Directory

Synchronization

The process of making two or more data storage devices or programs (in the same or different computers) hold exactly the same information at a given time.

Page 18: Active Directory

Global Catalog

The Global Catalog maintains indexes about objects. It contains full information about the objects in its own domain and partial information about the objects in other domains. Universal group membership information is stored on global catalog servers and replicated to all GCs in the forest.

The port number for the Global Catalog is 3268.

Page 19: Active Directory

Components of Active Directory

Page 20: Active Directory

Components of Active Directory

There are two types of components:

Logical components: Domain, Tree, Forest, Organizational unit.

Physical components: Site, Domain Controller.

Page 21: Active Directory

Logical Components of Active Directory

Page 22: Active Directory

Domain

The domain is the core unit of logical structure in Active Directory. All objects that share a common directory database, trust relationships with other domains, and security policies are known as a domain.

Each domain stores information about the objects that belong to that domain.

Security policies and settings, such as administrative rights, security policies, and Access Control Lists (ACLs), do not cross from one domain to another.

A domain administrator has full rights to set policies only within the domain they belong to.

Domains provide administrative boundaries for objects, manage security for shared resources, and are the unit of replication for objects.

Page 23: Active Directory

Tree

Trees are collections of one or more domains that allow global resource sharing. A tree may consist of a single domain or of multiple domains in a contiguous namespace.

A domain added to a tree becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain. A child domain can itself have multiple child domains. A child domain uses its own name followed by the parent domain's name and thereby gets a unique Domain Name System (DNS) name.

Page 24: Active Directory

Page 25: Active Directory

Forest

A forest is a collection of multiple trees that share a common global catalog, directory schema, logical structure, and directory configuration.

The primary security boundary for Active Directory is the forest, which contains the domain trees.

Forests allow organizations to group divisions that use different naming schemes and may need to operate independently, but that still want to communicate with the entire organization via transitive trusts and share the same schema and configuration container.

The first domain you create in the forest is called the forest root domain.

Page 26: Active Directory

Organizational Unit

An organizational unit is a logical component of Active Directory and is used to organize users, groups and computers.

Page 27: Active Directory

Physical Components of Active Directory

Page 28: Active Directory

Site

A site contains Active Directory resources that are all connected by reliable, high-speed bandwidth of a minimum of 10 MB. Site membership is used in the logon process, as a computer attempts to locate domain controllers in its own site first; in replication; in accessing global catalogues; and in the Exchange Server messaging infrastructure.

Page 29: Active Directory

Domain Controller

A domain controller is a single computer or server that holds and controls the Active Directory database.

It is the physical component of Active Directory and is used to control and manage the domains in an organization's forest.

Page 30: Active Directory

Active Directory Hierarchical Structure

Page 31: Active Directory

Active Directory Hierarchical Structure

[Diagram: a forest containing a forest root domain and several domain trees]

Page 32: Active Directory

Active Directory Hierarchical Structure

The primary security boundary for Active Directory is the forest, which contains the domain trees.

There can be one or more domain trees in a forest, though the first domain is designated as the forest root domain. A domain tree can contain multiple domains that share a common namespace. Regardless of the number of domain trees in a forest, there is centralized administration at the forest level with permissions to all domain trees. Each forest has an Enterprise Admins group as well as a Schema Admins group. Members of these groups have authority over all the domain trees in the forest.

Page 33: Active Directory

All domain controllers within the forest share the same schema.

Each domain has a Domain Admins group and administrators.

Administrators in a parent domain automatically have administrative permissions to all child domains through automatic transitive trust relationships. This type of structure is known as a hierarchical structure.

Page 34: Active Directory

Active Directory Database

Page 35: Active Directory

Active Directory Database

Active Directory stores its data in a file named ntds.dit. In addition to the database file, Active Directory uses log files that store information prior to committing it to the database: edb.log, edb.chk, res1.log and res2.log. By default, these files are located in the %systemroot%\NTDS folder.

During AD installation, Dcpromo lets you specify alternative locations for the log files and database file, or you can use ntdsutil to move the database to an alternate location after installation.

Page 36: Active Directory

Move the database to another location

Start the computer in Directory Services Restore Mode, log on with the Directory Services Restore Mode Administrator account, and open a command prompt. Then type:

ntdsutil (press Enter)

files (press Enter)

move DB to <new directory location path> (press Enter)

Page 37: Active Directory

Move the log files to another location

Start the computer in Directory Services Restore Mode, log on with the Directory Services Restore Mode Administrator account, and open a command prompt. Then type:

ntdsutil (press Enter)

files (press Enter)

move logs to <new directory location path> (press Enter)

Page 38: Active Directory

Flexible Single Master Operations (FSMO Roles)

Page 39: Active Directory

What Are the FSMO Roles?

FSMO roles are specialized services within Active Directory that should be performed only by a single domain controller.

Five roles make up the FSMO (Flexible Single Master Operations):

Schema Master
Domain Naming Master
Infrastructure Master
Relative Identifier (RID) Master
Primary Domain Controller (PDC) Emulator

All five of these roles can coexist on one domain controller, or you can move them so that each runs on its own independent domain controller.

Page 40: Active Directory

FSMO Role: Schema Master

The schema master domain controller controls all updates and modifications to the schema. Once a schema update is complete, it is replicated from the schema master to all other DCs in the directory.

To update the schema of a forest, you must have access to the schema master.

There can be only one schema master in the whole forest.

To see all FSMO roles, run the command: Netdom query fsmo /domain:<domain>

Page 41: Active Directory

FSMO Role: Domain Naming Master

The domain naming master domain controller controls the addition or removal of domains in the forest.

There can be only one domain naming master in the whole forest.

Page 42: Active Directory

FSMO Role: Infrastructure Master

The infrastructure master domain controller is responsible for updating an object's SID and distinguished name in cross-domain object references.

There can be only one domain controller acting as the infrastructure master in each domain.

The infrastructure master (IM) role should be held by a domain controller that is not a global catalog server. If the infrastructure master runs on a global catalog server, it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log.

Page 43: Active Directory

If all domain controllers in a domain also host the global catalog, all the domain controllers have the current data and it is not important which domain controller holds the infrastructure master role.

Page 44: Active Directory

FSMO Role: RID Master

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain.

When a DC creates a security principal object such as a user or group, it attaches a unique security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain.

Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates.

Page 45: Active Directory

When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.

At any one time there can be only one domain controller acting as RID master in the domain.
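The domain SID plus RID structure described on the RID Master slides, as an added PowerShell example that is not part of the original slides. It relies on the .NET SecurityIdentifier class for validation; the sample SIDs, the function names and the well-known RID table are constructed for this example.

```powershell
# Added example (not from the slides): split a SID into the domain SID and
# RID, and decode the binary objectSid layout that LDAP returns.
$WellKnownRids = @{
    500 = 'Administrator';  501 = 'Guest';           502 = 'krbtgt'
    512 = 'Domain Admins';  513 = 'Domain Users';    516 = 'Domain Controllers'
    518 = 'Schema Admins';  519 = 'Enterprise Admins'
}

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid = [System.Security.Principal.SecurityIdentifier]::new($SidString)  # throws on malformed input
    # The last sub-authority is the RID; everything before it is the domain SID
    # shared by every principal created in that domain.
    $rid = [uint32]($SidString.Split('-')[-1])
    $domainSid = if ($null -ne $sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
    [pscustomobject]@{
        Sid         = $SidString
        DomainSid   = $domainSid
        Rid         = $rid
        WellKnown   = $WellKnownRids[[int]$rid]                   # RIDs below 1000 are reserved built-ins
        FromRidPool = ($null -ne $domainSid -and $rid -ge 1000)   # handed out by a DC from its RID pool
    }
}

function ConvertFrom-BinarySid {
    param([byte[]]$Bytes)
    # Binary layout: revision (1 byte) | sub-authority count (1 byte) |
    # identifier authority (6 bytes, big-endian) | count x uint32 sub-authorities (little-endian)
    $count = [int]$Bytes[1]
    [int64]$authority = 0
    for ($i = 2; $i -lt 8; $i++) { $authority = $authority * 256 + [int64]$Bytes[$i] }
    $subs = for ($i = 0; $i -lt $count; $i++) { [BitConverter]::ToUInt32($Bytes, 8 + 4 * $i) }
    "S-$($Bytes[0])-$authority-" + ($subs -join '-')
}

function Test-SameDomain {
    param([string]$SidA, [string]$SidB)
    (Split-Sid $SidA).DomainSid -eq (Split-Sid $SidB).DomainSid
}

# Constructed sample SIDs; the domain portions are made up for this example.
$admin = 'S-1-5-21-1004336348-1177238915-682003330-500'
$user  = 'S-1-5-21-1004336348-1177238915-682003330-1105'
$other = 'S-1-5-21-3623811015-3361044348-30300820-1105'

Split-Sid $admin | Format-List
Split-Sid $user  | Format-List
"Same domain (admin, user): $(Test-SameDomain $admin $user)"
"Same domain (user, other): $(Test-SameDomain $user $other)"

# Round-trip through the binary form to confirm the layout decoder.
$sidObj = [System.Security.Principal.SecurityIdentifier]::new($user)
$bin = [byte[]]::new($sidObj.BinaryLength)
$sidObj.GetBinaryForm($bin, 0)
"Decoded from binary matches: $((ConvertFrom-BinarySid $bin) -eq $user)"
```

The same RID (1105) in two different domains is two unrelated principals, which is why access checks compare the whole SID rather than the RID alone.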

Page 46: Active Directory

FSMO Role: PDC Emulator

The PDC emulator is necessary to synchronize time in a Windows enterprise. Windows 2000/2003 includes the W32Time time service, which is required by the Kerberos authentication protocol.

All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, so that a common time is used appropriately.

The PDC emulator of a domain is authoritative for that domain; the PDC emulator at the root of the forest becomes authoritative for the enterprise and should be configured to gather the time from an external source.

Page 47: Active Directory

All PDC FSMO role holders follow the hierarchy of domains in selecting their inbound time partner.

The PDC emulator role holder retains the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator.

Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC emulator's SYSVOL share, unless configured not to do so by the administrator.

At any one time there can be only one DC acting as PDC emulator in each domain in the forest.

Page 48: Active Directory

Viewing FSMO role holders

Command to check all FSMO role holders in the domain domain.local:

Netdom query fsmo /domain:domain.local

Using Dcdiag:

Dcdiag /test:knowsofroleholders /v

You can find individual role holders with the dsquery command:

To find the Schema master: dsquery server -hasfsmo schema
To find the Domain naming master: dsquery server -hasfsmo name
To find the Infrastructure master: dsquery server -hasfsmo infr
To find the RID master: dsquery server -hasfsmo rid
To find the PDC emulator: dsquery server -hasfsmo pdc
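As an added PowerShell example (not from the slides), the same role inventory that the netdom and dsquery commands above produce, plus a check of the Infrastructure Master placement rule from the Infrastructure Master slides. It assumes the ActiveDirectory module from RSAT is installed and that the shell is run in a domain context; the function names are mine.

```powershell
# Added example (not from the slides): list FSMO role holders and verify that
# the Infrastructure Master is not on a global catalog unless every DC in the
# domain is a GC (the condition under which placement does not matter).
Import-Module ActiveDirectory

function Get-FsmoInventory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # assumed default: the current domain

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Two roles are forest-wide (one holder per forest), three are per domain.
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom = Get-ADDomain -Identity $Domain
    $dcs = Get-ADDomainController -Filter * -Server $Domain

    $im    = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    if ($null -eq $im) {
        return "WARN: IM holder $($dom.InfrastructureMaster) not found among the DCs of $Domain"
    }
    if ($im.IsGlobalCatalog -and -not $allGc) {
        # The failure mode on the slides: cross-domain references stop being
        # updated and the DC logs a warning in its event log.
        return "WARN: IM $($im.HostName) is a GC while other DCs are not; move the role or make every DC a GC"
    }
    return "OK: IM $($im.HostName) placement is consistent (GC=$($im.IsGlobalCatalog), all DCs are GC=$allGc)"
}

Get-FsmoInventory | Format-List
Test-InfrastructureMasterPlacement
```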

Page 49: Active Directory

Active Directory Services

Page 50: Active Directory

Active Directory services

Distributed File System
Domain Name System (DNS) Server
File Replication
Intersite Messaging
Kerberos Key Distribution Center
Remote Procedure Call (RPC) Locator
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services
Active Directory Federation Services
Active Directory Rights Management Services
Active Directory Certificate Services

Page 51: Active Directory

Active Directory services

Distributed File System: Manages logical volumes across local and wide area networks.

Domain Name System (DNS) Server: Responds to DNS queries and dynamic DNS requests.

File Replication: Allows files to be copied and maintained across multiple servers.

Intersite Messaging: Allows messages to be exchanged between Windows servers.

Kerberos Key Distribution Center: Enables users to log on to the domain using the Kerberos authentication protocol.

Page 52: Active Directory

Active Directory services

Remote Procedure Call (RPC) Locator: Enables RPC clients using the RpcNs* APIs to locate RPC servers.

Active Directory Domain Services (AD DS): Stores all information about resources on the network, such as users, computers and other devices.

Active Directory Lightweight Directory Services: Allows administrators to create small versions of Active Directory that run as non-operating-system services.

Active Directory Federation Services: Provides web single sign-on (SSO) technologies to authenticate users to multiple web applications in a single session.

Page 53: Active Directory

Active Directory services

Active Directory Rights Management Services: Protects and secures information from unauthorized use, online and offline, inside and outside of the environment.

Active Directory Certificate Services: Allows the mapping of users and resources to private keys to help secure identity in a public key infrastructure (PKI)-based environment.

Page 54: Active Directory

Finding highly privileged group membership

You can view membership of a highly privileged domain group using the net.exe utility at a command prompt:

net.exe group <domain-group-name> /DOMAIN

For example, to view membership of the Domain Admins group, the command is:

net.exe group "Domain Admins" /Domain

Page 55: Active Directory

Finding users that have not logged on since last month

You can find such accounts in your organization's domain by using the net.exe command:

net.exe user <username> /Domain

It returns the domain account information about the user, such as when the user's password was last set, when the user's current password expires, and when the user last logged on.

net.exe user Testuser /Domain

OR

net.exe user Testuser /Domain | findstr "Last logon"
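The two checks on the last two slides (privileged group membership, and accounts with no recent logon) done for the whole domain at once, as an added PowerShell example that is not part of the original slides. It assumes the ActiveDirectory module from RSAT; the group list, the 30-day window and the function names are my choices.

```powershell
# Added example (not from the slides): audit privileged group membership and
# find enabled accounts with no logon in the last 30 days. The net.exe commands
# on the slides show one group or one user at a time; this covers the domain.
Import-Module ActiveDirectory

function Get-PrivilegedMembers {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, which "net group" does not show.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{ Group = $g; Account = $_.SamAccountName; DN = $_.distinguishedName }
            }
    }
}

function Get-StaleUsers {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    # LastLogonDate is derived from lastLogonTimestamp, which is replicated but
    # only refreshed every 9 to 14 days. "net user" reads lastLogon, which is
    # not replicated and so can differ on every DC. Accounts that never logged
    # on have no value at all, so they are treated as stale here.
    Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, PasswordLastSet |
        Where-Object { $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
        Select-Object SamAccountName, LastLogonDate, PasswordLastSet |
        Sort-Object LastLogonDate
}

$priv  = Get-PrivilegedMembers
$stale = Get-StaleUsers -Days 30

"Privileged accounts:"
$priv | Format-Table -AutoSize

"Stale enabled accounts (no logon in 30 days):"
$stale | Format-Table -AutoSize

# Cross-reference: privileged accounts that are also stale deserve first attention.
"Stale privileged accounts:"
$stale | Where-Object { $_.SamAccountName -in $priv.Account } | Format-Table -AutoSize
```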

Page 56: Active Directory

Some useful utilities

Repadmin
NetDiag
DCDiag
DNSCMD
DNSLint
Account Lockout and Management Tools

Page 57: Active Directory

Repadmin

The replication diagnostic tool, more commonly known by its short name repadmin, can help diagnose Active Directory replication problems between domain controllers.

It verifies replication consistency between replication partners, monitors replication status, displays replication metadata, and forces replication events and topology recalculation.

Using this tool, administrators can look at the replication topology as seen from the point of view of each domain controller.

You can also use repadmin to force replication between domain controllers or to manually create a replication topology.

Page 58: Active Directory

Netdiag

Checks end-to-end network connectivity and distributed services functions.

This command-line tool can be used to help diagnose and isolate connectivity issues in your network. It does this by performing a number of tests on the system and displaying network and configuration information.

Page 59: Active Directory

DCDiag

DCDiag is a command-line utility that runs diagnostic tests against a domain controller. It runs several tests, and the output can span many screens.

If you want to perform specific tests against the domain controller, use the /test: switch. For instance, if you want to make sure that the replication topology is fully interconnected, issue the following command:

Dcdiag /test:topology

To test that replication is functioning properly, issue the command:

Dcdiag /test:replications

To view the status of global catalog replication, use the command:

dcdiag /v /s:domain_controller_name | find "%"

Page 60: Active Directory

DNSCMD

This command-line tool is found in the Support Tools folder of the Windows Server CD and enables you to create, modify, and delete resource records and zones.

If you want to view the DNS information and statistics of a server, type:

Dnscmd <server name> /info

Other useful switches with dnscmd are as follows:

/ZoneInfo: displays information about the target zone.

/DirectoryPartitionInfo: displays the directory partition information for the target partition.

Page 61: Active Directory

DNSLint

This is a command-line utility for Windows Server 2003 and higher and is located in the Support Tools folder of the Windows Server CD.

It can be used to check for and verify DNS records and server functionality, and to generate a report in HTML.

dnslint /d domain_name | /ad [LDAP_IP_address] | /ql input_file [/c [smtp,pop,imap]] [/no_open] [/r report_name] [/t] [/test_tcp] [/s DNS_IP_address] [/v] [/y]

e.g.: dnslint /ad

When using DNSLint you must specify one of three switches: /d, /ql, or /ad.

/d: diagnoses problems
/ql: verifies a user-defined set of DNS records
/ad: verifies DNS records specifically used for Active Directory replication

Page 62: Active Directory

Account Lockout and Management Tools

The acctinfo.dll file is actually part of the Account Lockout and Management Tools you can download from Microsoft.

Acctinfo.dll adds an additional property page to the user account properties. This property page allows you to determine when the account's password was set, when the password expires, and when the user last logged on to or off the domain, as well as other lockout information.

LockoutStatus.exe displays information concerning a locked-out account. Use this tool to determine which computers were involved in the lockout of the account and when the lockout occurred.

Page 63: Active Directory


Page 64: Active Directory

THE END
